BrickerBot Malware Takes Down 2 Million IoT Devices

Two million insecure Internet of Things (IoT) connected devices have been taken down, according to the author of the BrickerBot malware.

The hacker goes by the name of Janitor on the Hack Forums discussion boards. According to an alert circulated just last week by the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), "BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH, and brute force Telnet."

When BrickerBot finds an exposed device, it overwrites the device's flash storage with junk. This leaves the device unusable until its firmware is reinstalled. However, for some devices a reflash will be hard to come by.

ICS-CERT is advising organizations to disable both SSH and Telnet access.

The two variants of BrickerBot have these features:

• BrickerBot.1 targets devices running BusyBox with an exposed Telnet command window. These devices also have SSH exposed through an older version of the Dropbear SSH server. Most of these devices were also identified as Ubiquiti network devices running outdated firmware. BrickerBot.1 was active for just five days in March, according to Radware, and attacks from this malware have now ceased;

• BrickerBot.2 targets Linux-based devices which may or may not run BusyBox, and which expose a Telnet service protected by default or hard-coded passwords. The source of the attacks is concealed by Tor exit nodes.
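
The following Python audit is an added example, not code from the article, ICS-CERT or Radware. It checks devices you administer for the exposure profile listed above: reachable Telnet, reachable SSH, and a Dropbear identification string. The function names, the 192.0.2.x inventory addresses and the sample banners are constructed assumptions.

```python
import socket

def probe(host, port, timeout=2.0):
    """TCP-connect to a device you administer; return (reachable, first bytes sent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return True, s.recv(256)
            except OSError:          # open port that sent nothing or reset: still exposed
                return True, b""
    except OSError:                  # refused, filtered or unreachable
        return False, b""

def classify(telnet, ssh):
    """Turn the (reachable, bytes) results for ports 23 and 22 into findings."""
    findings = []
    if telnet[0]:
        findings.append("telnet-exposed")
    if ssh[0]:
        findings.append("ssh-exposed")
        # RFC 4253: the identification line starts with "SSH-"; other lines may precede it.
        for line in ssh[1].splitlines():
            ident = line.strip().decode("ascii", "replace")
            if ident.startswith("SSH-") and "dropbear" in ident.lower():
                findings.append("dropbear:" + ident)
                break
    return findings

def audit(hosts, telnet_port=23, ssh_port=22):
    """Live check over your own inventory; returns {host: findings}."""
    return {h: classify(probe(h, telnet_port), probe(h, ssh_port)) for h in hosts}

# Constructed probe results (not captured from real devices); the Dropbear
# version string is a placeholder, the article names no version.
SAMPLE = {
    "192.0.2.10": ((True, b"\xff\xfd\x01login: "), (True, b"SSH-2.0-dropbear_0.00\r\n")),
    "192.0.2.11": ((False, b""), (True, b"SSH-2.0-OpenSSH_9.6\r\n")),
    "192.0.2.12": ((False, b""), (False, b"")),
}

def audit_sample(sample=SAMPLE):
    """Classify the constructed results above without touching the network."""
    return {host: classify(telnet, ssh) for host, (telnet, ssh) in sample.items()}

if __name__ == "__main__":
    for host, findings in audit_sample().items():
        print(host, findings or ["no telnet/ssh exposure"])
```

audit() runs the same classification live against an inventory list; hosts flagged telnet-exposed or ssh-exposed are the ones the ICS-CERT advice applies to.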

Janitor claims justification for the action because he feels he is taking compromised devices out of circulation.